Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allauth ACCOUNT_UNIQUE_EMAIL doesn't work as expected #617

Open
dontic opened this issue Apr 16, 2024 · 1 comment
Open

allauth ACCOUNT_UNIQUE_EMAIL doesn't work as expected #617

dontic opened this issue Apr 16, 2024 · 1 comment

Comments

@dontic
Copy link
Contributor

dontic commented Apr 16, 2024

There is an edge case when using email as the authentication method as well as email verification. The server will crash if the user hasn't verified the email but a new registration with that same email is tried.

Steps to reproduce:

  1. Set the following allauth settings
ACCOUNT_AUTHENTICATION_METHOD = "email"  # username, email or username_email
ACCOUNT_USER_MODEL_USERNAME_FIELD = None
ACCOUNT_EMAIL_REQUIRED = True  # Needs to be True to use email as the auth method
ACCOUNT_USERNAME_REQUIRED = False
ACCOUNT_UNIQUE_EMAIL = True
ACCOUNT_EMAIL_VERIFICATION = "mandatory"  # "none", "optional", "mandatory"
  1. Register a new email
  2. Try to register the same email without first validating it

Analysis

I found that this edge case is not handled in the serializer:

def validate_email(self, email):
    email = get_adapter().clean_email(email)
    if allauth_account_settings.UNIQUE_EMAIL:
        if email and EmailAddress.objects.is_verified(email):
            raise serializers.ValidationError(
                _("A user is already registered with this e-mail address."),
            )
    return email

The validation error for unique email is only raised if the account has been verified.

Here's the proposed fix in #618:

def validate_email(self, email):
    email = get_adapter().clean_email(email)
    if allauth_account_settings.UNIQUE_EMAIL:
        if email and EmailAddress.objects.is_verified(email):
            raise serializers.ValidationError(
                _("A user is already registered with this e-mail address."),
            )
        else:
            query = EmailAddress.objects.filter(email__iexact=email)
            if query.exists():
                email_address = query.first()
                if email_address.user.has_usable_password():
                    raise serializers.ValidationError(
                        _("A user is already registered with this e-mail address but hasn't been verified their email yet."),
                    )
    return email

Note that in the meantime users can implement this fix by creating a custom RegisterSerializer as explained in the docs.

The wording is not the best and can be changed.

Tested and working:

image

Opened #618

@danryu
Copy link

danryu commented Apr 17, 2024

Just ran into this issue myself.
Though I am configuring with
ACCOUNT_EMAIL_VERIFICATION ="optional"
but I think your fix will work in this use-case as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants